Shibboleth Developers

[Chad La Joie <>]

Nope.  That contains the same verbiage that the other SAML specs do.  It 
says it's acceptable to cache, and reuse, the symmetric keys, but it 
doesn't provide an interoperable way to do so.

You might be able to argue that for this particular profile you could 
imply that the relying party was attempting indicate that a cached key 
should be used by the lack of the EncryptedData/EncryptedKey element but 
that's hardly a standard for doing it.  That's an optional element 
according to the XML-ENC spec so the lack of it could mean anything.

Tom Scavo wrote:
> On 6/22/06, Chad La Joie 
> <>
>  wrote:
> > Tom Scavo wrote:
> > > On 6/22/06, Scott Cantor 
> > <>
> >  wrote:
> > >>
> > >> I asked around a little and determined that in SAML (or Liberty) land,
> > >> nobody's pushing much beyond per-message keys.
> > >
> > > Is it reasonable to extend this beyond a single message and think
> > > about per-transaction keys?  The responder, for example, might reuse a
> > > symmetric key in the request to encrypt a portion of the response.
> > > For example, the responder might reuse a key that was used to encrypt
> > > the NameID in the request to encrypt an assertion in the response.
> >
> > In theory I think this is possible, but it gets back to the question of
> > interoperability that Scott mentioned.  To the best of my knowledge,
> > there isn't any spec for how to do this.
>
> Is this close to what you're looking for (e.g.)?
>
> http://www.oasis-open.org/committees/download.php/18058/sstc-saml-x509-authn-attrib-profile-cd-02.pdf 
>
>
> Or are you looking for something more low-level than that?
>
> Tom

--
Chad La Joie             2052-C Harris Bldg
OIS-Middleware           202.687.0124